CN106850591A - Data markers apparatus and method - Google Patents
- Publication number: CN106850591A
- Authority: CN (China)
- Prior art keywords: data, external data, mark, external, head
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a data marking device that resides in a web server and comprises: a monitoring module adapted to detect whether an application performs an edit operation on data and, when such an edit operation is detected, to detect whether the head of the data has a mark, the mark indicating that the data includes external data, the number of external data items it includes, and the position of each external data item within the data; a data read module adapted to obtain, according to the mark, the at least one external data item contained in the data when the head of the data is detected to have a mark; and a mark generation module adapted to judge, for each new data item obtained after the application performs the edit operation on the data, whether the new data includes at least a portion of the at least one external data item and, if so, to generate a new mark according to the new data and the external data it includes and add the new mark to the head of the new data. The invention also discloses a data marking method.
Description
Technical field
The present invention relates to the field of information security technology, and more particularly to a data marking apparatus and method.
Background
With the rapid development of network communication technology, the continued deepening of Internet applications and the growing richness of the information carried, the Internet has become important infrastructure for human society. More and more enterprises provide users with products and services through web servers on the Internet and the applications deployed on those servers. The accompanying network security threats are also becoming increasingly serious and have drawn great attention to network security.
Large numbers of attackers use techniques such as planting trojans in web pages, SQL injection, buffer overflows, sniffing and exploiting vulnerabilities in web servers such as IIS to attack application servers, thereby obtaining control of the web server, tampering with the web content it provides and stealing important internal data; they can also implant malicious code in the web content so that visitors are harmed.
A large share of the security threats a network faces come from the externally supplied data contained in HTTP requests. The data handled in a web server can therefore be divided into two classes, internal data and external data, where data sent to the web server through an HTTP request is external data. Clearly distinguishing internal data from external data while an application processes data helps security threat checks to be carried out accurately and efficiently.
A scheme that can distinguish internal data from external data is therefore urgently needed.
Summary of the invention
To this end, the present invention provides a data marking scheme that seeks to solve, or at least alleviate, at least one of the problems above.
According to one aspect of the invention, a data marking device is provided that resides in a web server. The device includes: a monitoring module adapted to detect whether an application performs an edit operation on data, the application being able to perform edit operations on data to obtain at least one new data item, and, when an edit operation performed by the application on data is detected, to detect whether the head of the data has a mark, the mark indicating that the data includes external data, the number of external data items it includes, and the position of each external data item in the data; a data read module adapted to obtain, according to the mark, the at least one external data item contained in the data when the head of the data is detected to have a mark; and a mark generation module adapted to judge, for each new data item obtained after the application performs the edit operation on the data, whether the new data includes at least a portion of the at least one external data item and, if so, to generate a new mark according to the new data and the external data it includes and add the new mark to the head of the new data.
According to another aspect of the invention, a data marking method is provided that is adapted to be performed in a web server. The method includes the steps of: detecting whether an application performs an edit operation on data, the application being able to perform edit operations on data to obtain at least one new data item; when an edit operation performed by the application on data is detected, detecting whether the head of the data has a mark, the mark indicating that the data includes external data, the number of external data items it includes, and the position of each external data item in the data; when the head of the data is detected to have a mark, obtaining, according to the mark, the at least one external data item contained in the data; for each new data item obtained after the application performs the edit operation on the data, judging whether the new data includes at least a portion of the at least one external data item; and, if so, generating a new mark according to the new data and the external data it includes and adding the new mark to the head of the new data.
The data marking scheme of the invention detects that an application has received a request and marks the external data the request contains, so that external data entered through the request can be distinguished. Further, by detecting that the application performs an edit operation on marked data and re-marking the new data generated by the edit operation, it can be determined whether the new data includes external data. This avoids the situation in which a mark is lost or becomes wrong after an edit operation so that external data can no longer be distinguished, achieves a clear, accurate and efficient distinction between internal and external data, and facilitates subsequent security threat checks.
Brief description of the drawings
To achieve the above and related purposes, certain illustrative aspects are described herein in conjunction with the following description and the accompanying drawings. These aspects indicate various ways in which the principles disclosed herein can be practised, and all aspects and their equivalents are intended to fall within the scope of the claimed subject matter. The above and other objects, features and advantages of the disclosure will become more apparent from the following detailed description read in conjunction with the drawings. Throughout the disclosure, the same reference numerals generally refer to the same parts or elements.
Fig. 1 shows a structural block diagram of a network system 100 according to an exemplary embodiment of the invention;
Fig. 2 shows a structural block diagram of a data marking device 200 according to an exemplary embodiment of the invention;
Fig. 3 shows a flow chart of a data marking method 300 according to an exemplary embodiment of the invention.
Detailed description
Exemplary embodiments of the disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realised in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Fig. 1 shows a structural block diagram of a network system 100 according to an exemplary embodiment of the invention. The network system 100 can include a client 110 and a web server 120. The web server 120 can be connected to the client 110 through a network and stores one or more applications. When the web server 120 receives a request from the external client 110, it can call the corresponding application to process the request. The request can be transmitted to the web server 120 via the HTTP(S) protocol.
The data marking device 200 of the invention resides in the web server 120 and is coupled to the applications in the web server 120. The data marking device 200 can generate a corresponding mark for data to be processed that includes external data, and add the mark to the head of the data. The data marking device 200 may also reside in the application itself; the invention is not limited in this respect.
The generated mark can indicate that the data includes external data, the number of external data items it includes, and the position of each external data item in the data. According to one embodiment of the invention, the mark can include a first field indicating that the data includes external data, a second field indicating the number of external data items the data includes, and a third field indicating in order the start position and end position of each external data item in the data.
The first field typically occupies 4 bytes, and its value can be a fixed value such as 0xFFEDFF00. The second field typically occupies 2 bytes; its value is the number of external data items, with a range that is usually 0 to 65535.
The third field can include a predetermined number of groups of subfields, the predetermined number being the number of external data items. Each group of subfields corresponds to one external data item: one subfield indicates the start position of the external data item in the data, and its value can be the offset of that start position relative to the start of the data; the other subfield indicates the end position of the external data item in the data, and its value can be the offset of that end position relative to the start of the data.
Each subfield typically occupies 4 bytes (on a 32-bit operating system) or 8 bytes (on a 64-bit operating system). The groups of subfields are arranged in the order in which their corresponding external data items appear in the data, and together they make up the third field.
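The mark layout described above, written out as an added example (not code from the patent): a serializer and a validating parser for the three fields. Big-endian byte order, the mark being stored inline in front of the payload bytes, and the names `pack_marked`, `parse_marked` and `external_items` are assumptions made for the illustration.

```python
import struct

MAGIC = 0xFFEDFF00              # first field: fixed value given in the description
OFFSET_FMT = {4: "I", 8: "Q"}   # subfield width: 4 bytes (32-bit) or 8 bytes (64-bit)
# Assumptions of this sketch: big-endian fields, mark stored inline before the payload.
# In this inline model an unmarked payload that happens to begin with the magic
# bytes would be read as marked, so the parser validates everything that follows.


class MarkError(ValueError):
    """The mark is malformed or inconsistent with the payload it describes."""


def _check_ranges(ranges, payload_len):
    """Ranges must be in position order, non-overlapping and inside the payload."""
    if len(ranges) > 0xFFFF:
        raise MarkError("second field is 2 bytes: at most 65535 external items")
    prev_end = 0
    for start, end in ranges:
        if not prev_end <= start <= end <= payload_len:
            raise MarkError(f"range ({start}, {end}) out of order or out of bounds")
        prev_end = end


def pack_marked(payload, ranges, width=4):
    """Prefix payload with a mark listing its external-data (start, end) offsets."""
    _check_ranges(ranges, len(payload))
    pair_fmt = ">" + 2 * OFFSET_FMT[width]
    head = struct.pack(">IH", MAGIC, len(ranges))        # first + second field
    for start, end in ranges:                            # third field, in order
        head += struct.pack(pair_fmt, start, end)
    return head + payload


def parse_marked(buf, width=4):
    """Return (payload, ranges); ranges is None when buf carries no mark."""
    if len(buf) < 4 or struct.unpack_from(">I", buf, 0)[0] != MAGIC:
        return buf, None                                 # no first field: internal data
    if len(buf) < 6:
        raise MarkError("truncated second field")
    (count,) = struct.unpack_from(">H", buf, 4)
    pair_fmt = ">" + 2 * OFFSET_FMT[width]
    pair_len = struct.calcsize(pair_fmt)
    body = 6 + count * pair_len
    if len(buf) < body:
        raise MarkError("third field shorter than the declared item count")
    ranges = [struct.unpack_from(pair_fmt, buf, 6 + i * pair_len)
              for i in range(count)]
    payload = buf[body:]
    _check_ranges(ranges, len(payload))                  # offsets are relative to payload
    return payload, ranges


def external_items(buf, width=4):
    """The external data items a marked buffer contains, in position order."""
    payload, ranges = parse_marked(buf, width)
    return [] if ranges is None else [payload[s:e] for s, e in ranges]


if __name__ == "__main__":
    # Constructed sample: a query string whose two values are external data.
    sample = b"name=tony&age=18"
    marked = pack_marked(sample, [(5, 9), (14, 16)])
    print(marked[:22].hex())
    print(external_items(marked))
```

The end offset is treated as exclusive, which matches the description's case of fully external data whose positions are 0 and the length of the data.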
Fig. 2 shows a structural block diagram of the data marking device 200 according to an exemplary embodiment of the invention. As shown in Fig. 2, the data marking device 200 includes a monitoring module 210, a data read module 220 and a mark generation module 230.
The monitoring module 210 is coupled to the applications in the web server 120 and, according to one embodiment of the invention, can detect whether an application has received a request from outside. Specifically, whether the application has received a request from outside can be determined by detecting whether the application has called the relevant function. For example, it is possible to detect whether the RINIT (runtime initialization) function in a PHP application has been executed.
When the monitoring module 210 detects that the application has received a request from outside, the data read module 220 connected to the monitoring module 210 obtains the external data contained in the request; the application can operate on the obtained external data to complete its corresponding logic. Here, all the data contained in the request may be treated as external data, or, according to the application's configuration file, the data in the request that the application may use may be treated as external data.
For example, suppose the application receives a GET request over the HTTP protocol whose Uniform Resource Identifier (URI) is /example.com/a/b/c?name=tony&age=18, where name: tony and age: 18 are query parameters. Then name: tony and age: 18 can be obtained as external data.
After the data read module 220 has obtained the external data, the mark generation module 230 connected to the data read module 220 can generate a mark according to the external data.
Clearly, because the data obtained by the data read module 220 is entirely external data, then according to the description of the mark above, the mark generated at this point can indicate that the data includes external data, that the number of external data items is 1, and that the position of the external data runs from the start position of the data to its end position.
Specifically, the value of the first field can be 0xFFEDFF00; the value of the second field can be 1, indicating that the data includes one external data item; and the third field includes one group of subfields indicating the start position and end position of the data, whose values can be 0 and the length of the data respectively.
After the mark generation module 230 has generated the mark for the external data, it adds the mark to the head of the external data. The application can then continue to perform various operations on the marked external data to complete its corresponding logic. The marked external data is as shown in the table below.
The monitoring module 210 also detects whether the application performs an edit operation on data. An edit operation here is any operation that changes the data, such as copying, truncating, slicing or concatenating, and can for example include at least one of the following: splitting one data item into multiple new data items, piecing multiple data items together into one new data item, and copying data. By performing such an edit operation on data, the application obtains at least one new data item.
Specifically, the application calls the relevant function when it performs an edit operation on data, so the monitoring module 210 can determine whether the application performs an edit operation on data by detecting whether the relevant function is called.
When the monitoring module 210 detects that the application performs an edit operation on data, it goes on to detect whether the head of the data on which the edit operation is performed has a mark. Specifically, whether the head of the data has a mark can be determined by detecting whether the head of the data includes the first field described above. If the first field is present, the head of the data is determined to have a mark; otherwise the head of the data is determined to have no mark.
When the monitoring module 210 detects that the head of the data has no mark, the data does not include external data and is entirely internal data, so the data can be ignored. When the monitoring module 210 detects that the head of the data has a mark, the data includes external data.
After the application performs an edit operation on the data, whether the generated new data includes external data, and the details of that external data, may change. New data that includes external data therefore needs to be re-marked.
The data read module 220 can obtain the at least one external data item contained in the data according to the detected mark. Specifically, once the first field has been identified, the second field after the first field can be read to determine the number of external data items, and the third field after the second field can be read to determine the start position and end position of each external data item in the data. The at least one external data item contained in the data can then be obtained from the number of external data items and the start and end positions of each external data item in the data.
Then, for each new data item obtained after the application performs the edit operation on the data, the mark generation module 230 can judge whether the new data includes at least a portion of the at least one external data item that was obtained. Specifically, the new data can be matched against the at least one external data item obtained; if there is a match, the new data is determined to include external data, and otherwise the new data is determined not to include external data.
If the new data is determined to contain at least a portion of the external data, the mark generation module 230 generates a new mark according to the new data and the external data it contains, and adds the new mark to the head of the new data. Specifically, following the description of the mark above, if the new data is determined to contain at least a portion of the external data, the mark generation module 230 can first generate the first field, indicating that the data includes external data. It can then obtain the number of external data items to generate the second field, and finally obtain in order the start position and end position of each external data item in the data to generate the third field. New data with a mark can, for example, be as shown in the following table.
In this way external data can be distinguished accurately. This avoids the situation in which a mark is lost or becomes wrong after an edit operation so that external data can no longer be distinguished, achieves a clear, accurate and efficient distinction between internal and external data, and facilitates subsequent security threat checks. For example, when the judgement shows that data does not include external data, no security threat check needs to be performed on that data, which saves resources. When the judgement shows that data includes external data, a security threat check needs to be performed on that data.
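Re-marking after edit operations, as an added example that is not part of the patent: each new data item gets its external-data positions recomputed from the marks of the data it was built from. It derives the new positions by offset arithmetic instead of the content matching the description mentions, and the `Marked` type and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Marked:
    """Data plus the (start, end) offsets of the external data it contains."""
    data: bytes
    ranges: tuple = ()          # empty: no mark, the data is entirely internal

    @property
    def has_mark(self):
        return bool(self.ranges)


def from_request(value):
    """Data read from a request is external from its start to its end."""
    return Marked(value, ((0, len(value)),) if value else ())


def internal(value):
    """Data produced by the application itself carries no mark."""
    return Marked(value)


def concat(*parts):
    """Piece several data items together; shift each mark by its part's offset."""
    data, ranges, base = b"", [], 0
    for part in parts:
        ranges += [(s + base, e + base) for s, e in part.ranges]
        data += part.data
        base += len(part.data)
    return Marked(data, tuple(ranges))


def cut(src, start, end):
    """Slice or copy: keep the portion of each external range inside [start, end)."""
    start, end, _ = slice(start, end).indices(len(src.data))
    kept = []
    for s, e in src.ranges:
        lo, hi = max(s, start), min(e, end)
        if lo < hi:                          # some external bytes survive the cut
            kept.append((lo - start, hi - start))
    return Marked(src.data[start:end], tuple(kept))


def split(src, sep):
    """Split one data item into several new ones, re-marking each piece."""
    if not sep:
        raise ValueError("empty separator")
    pieces, pos = [], 0
    while True:
        hit = src.data.find(sep, pos)
        stop = len(src.data) if hit < 0 else hit
        pieces.append(cut(src, pos, stop))
        if hit < 0:
            return pieces
        pos = hit + len(sep)


if __name__ == "__main__":
    # Constructed sample: two request values concatenated with internal literals.
    query = concat(internal(b"name='"), from_request(b"tony"),
                   internal(b"' AND age="), from_request(b"18"))
    for piece in [query, *split(query, b" AND "), cut(query, 0, 5)]:
        # Only pieces that still carry a mark need the security threat check.
        print(piece.data, piece.ranges, "check" if piece.has_mark else "skip")
```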
Fig. 3 shows a flow chart of the data marking method 300 according to an exemplary embodiment of the invention. As shown in Fig. 3, the data marking method 300 is adapted to be performed in a web server and starts at step S310.
In step S310, it is detected whether an application performs an edit operation on data; the application can perform edit operations on data to obtain at least one new data item. The edit operation can include at least one of the following: splitting one data item into multiple new data items, piecing multiple data items together into one new data item, and copying data.
When an edit operation performed by the application on data is detected, in step S320 it is detected whether the head of the data has a mark, the mark indicating that the data includes external data, the number of external data items it includes, and the position of each external data item in the data. According to one embodiment of the invention, the mark can include a first field indicating that the data includes external data, a second field indicating the number of external data items the data contains, and a third field indicating in order the start position and end position of each external data item in the data. The first field can occupy 4 bytes and the second field can occupy 2 bytes. Accordingly, in another embodiment of the invention, step S320 can include: detecting whether the head of the data includes the first field, to determine whether the head of the data has a mark.
When the head of the data is detected to have a mark, in step S330 the at least one external data item contained in the data is obtained according to the mark. Specifically, according to one embodiment of the invention, the second field can be read to determine the number of external data items, the third field can be read to determine the start position and end position of each external data item in the data, and the at least one external data item contained in the data can be obtained from the number of external data items and the start and end positions of each external data item in the data.
Then, for each new data item obtained after the application performs the edit operation on the data, in step S340 it is judged whether the new data includes at least a portion of the at least one external data item. If so, in step S350 a new mark is generated according to the new data and the external data it includes, and the new mark is added to the head of the new data.
According to one embodiment of the invention, the step of generating a mark can include: if the data is determined to contain external data, generating the first field; then obtaining the number of external data items the data contains, to generate the second field; and finally obtaining in order the start position and end position of each external data item in the data, to generate the third field.
According to another embodiment of the invention, the data marking method 300 can also include the steps of: detecting whether the application receives a request from outside and, when it is detected that the application has received a request from outside, obtaining the external data contained in the request, on which the application can operate to complete its corresponding logic; and finally generating a mark according to the external data and adding it to the head of the external data.
The processing in each step has been explained in detail above in the description of the principle of the data marking device 200 with reference to Fig. 1 and Fig. 2, and the repeated content is not described again here.
It should be appreciated that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all the features of a single embodiment disclosed above. The claims following the detailed description are therefore hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules, units or components of the equipment in the examples disclosed herein can be arranged in the equipment as described in the embodiment, or alternatively can be located in one or more pieces of equipment different from the equipment in the example. The modules in the foregoing examples can be combined into one module or can additionally be divided into multiple submodules.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment can be changed adaptively and arranged in one or more pieces of equipment different from the embodiment. The modules, units or components in an embodiment can be combined into one module, unit or component, and can additionally be divided into multiple submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all the features disclosed in this specification (including the accompanying claims, abstract and drawings) and all the processes or units of any method or equipment so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Furthermore, some of the embodiments are described herein as methods, or combinations of method elements, that can be implemented by a processor of a computer system or by other means of performing the described function. A processor with the necessary instructions for implementing such a method or method element thus forms a means for implementing the method or method element. Furthermore, an element of a device embodiment described herein is an example of a means for carrying out the function performed by the element for the purpose of implementing the invention.
The present invention can also include: A6, the device as described in any one of A3-5, wherein the mark generation module is adapted, if the data is determined to contain at least a portion of the at least one external data item, to generate the first field; to obtain the number of external data items the data contains, to generate the second field; and to obtain in order the start position and end position of each external data item in the data, to generate the third field. A7, the device as described in any one of A3-6, wherein the first field occupies 4 bytes and the second field occupies 2 bytes. A8, the device as described in any one of A1-7, wherein the edit operation includes at least one of the following: splitting one data item into multiple new data items; and piecing multiple data items together into one new data item.
B14, the method as described in any one of B11-13, wherein the step of generating a mark includes: if the data is determined to include external data, generating the first field; obtaining the number of external data items the data contains, to generate the second field; and obtaining in order the start position and end position of each external data item in the data, to generate the third field. B15, the method as described in any one of B11-14, wherein the first field occupies 4 bytes and the second field occupies 2 bytes. B16, the method as described in any one of B9-15, wherein the edit operation includes at least one of the following: splitting one data item into multiple new data items; and piecing multiple data items together into one new data item.
As used herein, unless otherwise specified, the use of the ordinal numbers "first", "second", "third" and so on to describe an ordinary object merely indicates that different instances of similar objects are being referred to, and is not intended to imply that the objects so described must have a given order in time, in space, in ranking or in any other manner.
Although the invention has been described in terms of a limited number of embodiments, those skilled in the art, having the benefit of the above description, will appreciate that other embodiments can be envisaged within the scope of the invention thus described. It should also be noted that the language used in this specification has been selected primarily for readability and teaching purposes, and not to explain or limit the subject matter of the invention. Many modifications and changes will therefore be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. With respect to the scope of the invention, the disclosure made here is illustrative and not restrictive, and the scope of the invention is defined by the appended claims.
Claims (10)
1. a kind of data markers device, resides in the webserver, and described device includes:
Monitoring module, is suitable to
Whether detection application performs the edit operation to data, and the application can carry out edit operation to obtain at least to data
One new data;
When detecting using the edit operation performed to data, whether the head of the detection data has mark, the mark
Indicating the data includes external data and its position of the external data number and each external data that include in the data
Put;
Data read module, is suitable to
When the head for detecting the data has mark, obtained outside the packet contains at least one according to the mark
Portion's data;And
Mark generation module, is suitable to
Each the new data for carrying out being obtained after edit operation to data to the application,
Judge the new data whether include at least one external data at least a portion external data;
If so, according to the new data and its external data for including, new mark is generated, and added to the new data
Head in.
2. device as claimed in claim 1, wherein,
The monitoring module is further adapted for whether detection application is received from outside request;
The data read module is further adapted for, when the application reception is detected from outside request, obtaining the request bag
The external data for containing, the application can be operated to complete respective logic to the external data;
The mark generation module is further adapted for being generated according to the external data and marks, and added to the head of the external data
In.
3. device as claimed in claim 1 or 2, wherein, the mark includes indicating the data including external data first
Field, the second field for indicating the external data number that the packet contains and each external data is indicated successively in data
Starting position and end position the 3rd field.
4. device as claimed in claim 3, wherein, the monitoring module is suitable to
Whether whether include first field, have mark with the head for determining the data if detecting the head of the data.
5. the device as described in claim 3 or 4, wherein, the data read module is suitable to
The second field is read to determine external data number;
The 3rd field is read to determine starting position and end position of each external data in data;And
The starting position in data and end position according to external data number and each external data, obtain the number
According to comprising at least one external data.
6. A data marking method, adapted to be performed in a web server, the method comprising the steps of:
detecting whether an application performs an edit operation on data, wherein the application can perform the edit operation on the data to obtain at least one new data item;
when it is detected that the application performs an edit operation on the data, detecting whether the head of the data has a mark, the mark indicating that the data includes external data, the number of external data items it includes, and the position of each external data item in the data;
when it is detected that the head of the data has a mark, obtaining, according to the mark, the at least one external data item that the data contains;
for each new data item obtained after the application performs the edit operation on the data,
judging whether the new data item includes at least a part of the at least one external data item;
if so, generating a new mark according to the new data item and the external data it includes, and adding the new mark to the head of the new data item.
7. The method as claimed in claim 6, wherein the method further comprises the steps of:
detecting whether the application receives a request from outside;
when it is detected that the application receives a request from outside, obtaining the external data that the request contains, wherein the application can operate on the external data to complete the corresponding logic;
generating a mark according to the external data, and adding the mark to the head of the external data.
8. The method as claimed in claim 6 or 7, wherein the mark includes a first field indicating that the data includes external data, a second field indicating the number of external data items that the data contains, and a third field indicating, in order, the start position and end position of each external data item in the data.
9. The method as claimed in claim 8, wherein the step of detecting whether the head of the data has a mark includes:
detecting whether the head of the data includes the first field, so as to determine whether the head of the data has a mark.
10. The method as claimed in claim 8 or 9, wherein the step of obtaining, according to the mark, the at least one external data item that the data contains includes:
reading the second field to determine the number of external data items;
reading the third field to determine the start position and end position of each external data item in the data; and
obtaining, according to the number of external data items and the start position and end position of each external data item in the data, the at least one external data item that the data contains.
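The three-field mark of claims 3 to 5 and 8 to 10 and the re-marking step of claim 6, as an added Python sketch that is not part of the patent. The byte encoding (a 4-byte magic value as the first field, a 16-bit count, 32-bit start/end pairs), the payload-relative offsets, the sample data and all function names are assumptions, and a substring stands in for the edit operation.

```python
import struct

MAGIC = b"\x00EXT"  # first field (assumed encoding): "data contains external data"

def add_mark(payload: bytes, spans) -> bytes:
    """Prepend first field, count (second field) and start/end pairs (third field)."""
    spans = sorted(spans)
    if any(not 0 <= s < e <= len(payload) for s, e in spans):
        raise ValueError("span outside payload")
    head = MAGIC + struct.pack(">H", len(spans))
    head += b"".join(struct.pack(">II", s, e) for s, e in spans)
    return head + payload

def read_mark(data: bytes):
    """Return (payload, spans); spans is [] when the head carries no mark."""
    if not data.startswith(MAGIC):                    # claims 4 and 9
        return data, []
    off = len(MAGIC)
    if len(data) < off + 2:
        raise ValueError("truncated mark")
    (count,) = struct.unpack_from(">H", data, off)    # second field
    off += 2
    if len(data) < off + 8 * count:
        raise ValueError("truncated mark")
    spans = [struct.unpack_from(">II", data, off + 8 * i) for i in range(count)]
    payload = data[off + 8 * count:]
    if any(not 0 <= s < e <= len(payload) for s, e in spans):
        raise ValueError("span outside payload")
    return payload, spans

def external_parts(data: bytes):
    """Claims 5 and 10: the external data items the mark points at."""
    payload, spans = read_mark(data)
    return [payload[s:e] for s, e in spans]

def substring(data: bytes, lo: int, hi: int) -> bytes:
    """Edit operation: take payload[lo:hi] and re-mark what survives (claim 6)."""
    payload, spans = read_mark(data)
    lo = max(lo, 0)
    hi = max(lo, min(hi, len(payload)))
    # Clip each span to the window and shift it to the new payload's offsets.
    kept = [(a - lo, b - lo) for s, e in spans
            if (a := max(s, lo)) < (b := min(e, hi))]
    new_payload = payload[lo:hi]
    return add_mark(new_payload, kept) if kept else new_payload

# Constructed sample: "alice" and "guest" arrived in an outside request.
PAYLOAD = b"user=alice;role=guest"
SAMPLE = add_mark(PAYLOAD, [(5, 10), (16, 21)])
```

A substring that overlaps only part of an external item keeps a mark covering just that part, and one that overlaps none comes back unmarked.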
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710026205.0A CN106850591B (en) | 2017-01-13 | 2017-01-13 | Data markers device and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710026205.0A CN106850591B (en) | 2017-01-13 | 2017-01-13 | Data markers device and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106850591A (en) | 2017-06-13 |
CN106850591B (en) | 2019-08-02 |
Family
ID=59123179
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710026205.0A Active CN106850591B (en) | 2017-01-13 | 2017-01-13 | Data markers device and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106850591B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111339325A (en) * | 2018-12-19 | 2020-06-26 | 财团法人工业技术研究院 | Data marking system and data marking method |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020019812A1 (en) * | 2000-06-16 | 2002-02-14 | Board Karen Eleanor | System and service for receiving, customizing, and re-broadcasting high-speed financial data to users operating wireless network-capable devices |
CN102224505A (en) * | 2008-11-19 | 2011-10-19 | 安全工程有限公司 | System and method for run-time attack prevention |
CN104268474A (en) * | 2014-09-30 | 2015-01-07 | 电子科技大学 | Method and device for intrusion detection based on browser script behaviors |
CN106055571A (en) * | 2016-05-19 | 2016-10-26 | 乐视控股(北京)有限公司 | Method and system for website identification |
Also Published As
Publication number | Publication date |
---|---|
CN106850591B (en) | 2019-08-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110287109B (en) | Protocol interface testing method and device, computer equipment and storage medium thereof | |
Chothia et al. | Leakwatch: Estimating information leakage from java programs | |
CN101399710B (en) | Detection method and system for protocol format exception | |
US20040103078A1 (en) | Web server hit multiplier and redirector | |
CN105205180A (en) | Knowledge map evaluation method and device | |
CA2777434A1 (en) | Verifying application security vulnerabilities | |
CN106528393A (en) | Method and device for Mock testing of WebService | |
CN110659206A (en) | Simulation architecture establishing method, device, medium and electronic equipment based on microservice | |
CN103631783B (en) | A kind of generation method and system of front end page | |
CN106534145B (en) | A kind of application and identification method and equipment | |
CN111181805B (en) | Micro-service test baffle generation method and system based on test case | |
CN104991979B (en) | Laboratory data processing method and processing system | |
CN111930621A (en) | DNS automation performance testing method, device, equipment and readable storage medium | |
CN104375935A (en) | Method and device for testing SQL injection attack | |
CN106850591A (en) | Data markers apparatus and method | |
Kolesnikov et al. | On the relation of external and internal feature interactions: A case study | |
CN113688134A (en) | Visual variable management method, system and equipment based on multidimensional data | |
EP1916603A1 (en) | Method and arrangement for locating input domain boundaries | |
CN111124937B (en) | Method and system for assisting in improving test case generation efficiency based on instrumentation function | |
CN106446690B (en) | A kind of pair of device, method and the system repaired using loophole | |
CN111931184B (en) | Anti-serialization vulnerability detection method and device | |
CN109086145B (en) | Data generation method and device and computer storage medium | |
CN114003484A (en) | Log output method, device and equipment for interface test and storage medium | |
CN111190824A (en) | Monitoring method, monitoring device, terminal equipment and storage medium | |
CN110377463A (en) | Interface test method, device, terminal and computer readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||